Compliance VIEWpoints-Issue 1-2024 | Page 19

DOEREN MAYHEW Continued from page 7
Safeguards
Financial institutions must develop and implement administrative, technical and physical safeguards reasonably designed to protect the security, confidentiality and integrity of such information. The final rule permits them to satisfy this requirement by applying the same security and information handling procedures they use to protect members’/customers’ nonpublic personal information in compliance with Section 501 of the Gramm-Leach-Bliley Act (GLBA). Consequently, FinCEN believes the safeguarding requirement will not be onerous, as financial institutions are generally familiar with the GLBA requirements and already have policies, procedures and infrastructure established to comply.
There are also geographic safeguards. For instance, financial institutions cannot make BOI obtained from FinCEN available to persons physically located in, and shall not store such information in, either China or the Russian Federation.
Uses of BOI
In the final rule, FinCEN states “… a financial institution can use BOI obtained from FinCEN to help discharge its AML/CFT obligations under the BSA, including its AML program, customer identification, SAR filing, and enhanced due diligence requirements.” FinCEN also states institutions can use BOI to satisfy other requirements, so long as those requirements are designed to counter money laundering or the financing of terrorism, or safeguard U.S. national security, and are reasonably necessary to obtain or verify BOI of legal entity customers to satisfy those requirements.
At the same time, FinCEN states there are limits to the uses of BOI by financial institutions. The use of BOI should be directly related to an institution’s compliance with a legal obligation that is designed to counter money laundering or the financing of terrorism, or to safeguard the national security of the United States. For example, the final rule does not permit institutions to use BOI from FinCEN in assessing whether to extend credit to a legal entity, or in establishing the price of that credit, when credit decisions are unrelated to AML/CFT or national security purposes. Also, FinCEN does not consider general business or commercial uses of BOI, such as client development, to be consistent with AML/CFT or national security purposes.
Foreign Government Notification
A financial institution must notify FinCEN within three business days of receipt of any foreign government subpoena or legal demand under which it would have to disclose any BOI from FinCEN.
Implementation of the Access Rule
FinCEN is taking a phased approach for BOI access. The first stage will be a pilot program for a handful of key federal agency users starting in 2024. The second stage will extend access to treasury offices and certain federal agencies engaged in law enforcement and national security activities. The next stages will extend access to additional federal agencies, state, local and tribal law enforcement partners and to intermediary federal agencies in connection with foreign government requests. The final stage will provide access to financial institutions and their supervisors.
FinCEN believes there is a good reason for the sequencing of access, making institutions and their supervisors the last category of users receiving access to BOI. FinCEN expects the timing of their access will roughly coincide with the upcoming revision of FinCEN’s 2016 CDD rule. They indicated this allows financial institutions to enjoy certain administrative efficiencies by bundling system and compliance changes. FinCEN anticipates providing additional information on the timing and details regarding this phased implementation approach in early 2024.
Immediate Changes to your BSA/AML Program
The Access Rule does not yet necessitate changes to financial institution Bank Secrecy Act and anti-money laundering compliance programs. At the present moment, financial institutions can continue to comply as is with the existing CDD rule and other existing BSA requirements, such as customer identification program requirements and suspicious activity reporting.